


Recentapps registry forensics windows
The MRU data that will be covered here is recovered from the Windows Registry. This is why MRU artifacts are so valuable to digital forensic examiners.

As with many operating system artifacts, this data is not created for our use in forensic investigations, but it is often useful in supporting our theories surrounding user activity, specifically file and folder knowledge, on a Windows computer.

As with other artifacts featured in this series, it is worth repeating that it often takes more than one artifact to support an investigation. A date and time associated with the interaction of a file or folder can help create a timeline of activity on a particular device or serve as a pivot into AXIOM's Timeline functionality. It is a method for supporting our theory of the user's behavior on a system.

Analyzing files and folders that have been opened or browsed using Windows File Explorer may help in the quest to determine what occurred on a computer around an important investigative moment in time. This is fortunate for examiners, because profiling user activity is something digital forensic examiners are often tasked with to corroborate what we believe happened on a computer. MRU artifacts, or Most Recently Used artifacts, are a variety of artifacts tracked by modern Windows operating systems that provide crucial details regarding the user's interaction with files, folders, and programs that may have been executed using the Windows Run utility.
